oss-sec mailing list archives
Re: CVE Request: cgit directory traversal
From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 27 May 2013 12:01:27 -0600
On 05/27/2013 06:30 AM, Jan Lieskovsky wrote:
> Thank you for the report, Jason.
>
> > Hi Kurt,
> >
> > As mentioned in early messages to oss-sec, I've inherited
> > maintainership of the cgit codebase and am gradually auditing it.
> > Today I found a nasty directory traversal:
> >
> > http://somehost/?url=/somerepo/about/../../../../etc/passwd
> >
> > This should be pretty straightforward to categorize. Exploitation
> > looks like: http://data.zx2c4.com/cgit-directory-traversal.png
> >
> > I've committed a fix for it here:
> > http://git.zx2c4.com/cgit/commit/?h=wip&id=babf94e04e74123eb658a823213c062663cdadd6
>
> That patch doesn't seem to be applicable to cgit-0.9.1 version yet
> (there doesn't seem to be cgit_parse_readme() routine yet). Can you
> provide a patch that would apply against v0.9.1 version too? Or would
> this be just problem of master branch code?
>
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team
>
> > And this fix will be in the master branch and a new release will be
> > made soon. Cgit by default is not vulnerable to this, and the
> > vulnerability only exists when a user has configured cgit to use a
> > readme file from a filesystem filepath instead of from the git repo
> > itself. Until a release is made, administrators are urged to disable
> > reading the readme file from a filepath, if currently enabled.
> >
> > Thanks,
> > Jason

Please use CVE-2013-2117 for this issue.

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
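
The traversal reported in this thread, illustrated from the defensive side as an added example; it is not part of the original messages and is not cgit's actual fix. It assumes the already URL-decoded text after `about/` is joined onto a configured readme directory, and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Lexical check: 1 if the relative sub-path never climbs above the directory
 * it is joined onto, 0 otherwise. Symlinks are not resolved here, so a real
 * deployment would also compare the realpath() of the result to the base. */
int subpath_is_contained(const char *subpath)
{
    int depth = 0;
    const char *p = subpath;

    if (subpath == NULL || subpath[0] == '/')
        return 0;                       /* an absolute path discards the base */
    while (*p != '\0') {
        size_t len = strcspn(p, "/");   /* length of the current component */

        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0)
                return 0;               /* ".." stepped out of the base */
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            depth++;                    /* ordinary component descends one level */
        }
        p += len;
        if (*p == '/')
            p++;
    }
    return 1;
}

/* Assumption: the readme sub-path is whatever follows "/about/" in url=. */
int about_request_allowed(const char *url)
{
    static const char marker[] = "/about/";
    const char *hit = url ? strstr(url, marker) : NULL;

    return hit != NULL && subpath_is_contained(hit + sizeof(marker) - 1);
}

int main(void)
{
    /* Constructed inputs; the first is the url= value quoted in the thread. */
    const char *samples[] = { "/somerepo/about/../../../../etc/passwd",
                              "/somerepo/about/docs/../README.md" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-45s %s\n", samples[i],
               about_request_allowed(samples[i]) ? "allow" : "reject");
    return 0;
}
```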